Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Information Security Risk Management

Practice CISM Information Security Risk Management questions with full explanations on every answer.

95 questions

Information Security Risk Management — choose a session length:

- 10 questions (~10 min)
- 20 questions (~20 min)
- 30 questions (~30 min)
- 50 questions (~50 min)

Free · No account required

Practice Information Security Risk Management questions

All CISM Information Security Risk Management questions (95)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1. A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?

2. An organization has a risk appetite that allows for a maximum residual risk level of 'medium' for all operational risks. A new project introduces a risk with inherent risk level 'high' and control effectiveness rated as 'partially effective'. The risk owner proposes to accept the risk. As the CISM, what is the best course of action?

3. During a risk assessment, a CISM identifies that the organization's data backup process has a single point of failure. The backup server is located in the same data center as the primary server. Which risk response is most appropriate?

4. A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?

5. In a risk assessment, a CISM calculates the annualized loss expectancy (ALE) for a specific threat. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE, and which risk response is most cost-effective if a control costs $12,000 per year and reduces ARO to 0.05?

6. A company is evaluating its risk management process. The CISM notices that risks are being assessed based on qualitative scales (low, medium, high) but decisions require quantitative data. What is the most effective action to improve the process?

7. Which TWO of the following are key components of an information risk management program, as defined by ISACA? (Select exactly two.)

8. Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly three.)

9. Refer to the exhibit. A security analyst reviews the firewall configuration and identifies a potential risk. What is the most likely risk?

10. Refer to the exhibit. A system administrator reviews the log and notices repeated failed SSH attempts from the same IP address. What is the most appropriate risk response?

11. You are the CISM for a mid-sized e-commerce company that processes credit card transactions. The company recently experienced a security incident where an attacker exploited a vulnerability in the web application to gain access to the customer database containing payment card information. The incident response team contained the breach, but the root cause analysis revealed that the vulnerability had been identified in a penetration test six months ago but was not remediated due to competing priorities. The company's risk management framework defines risk appetite as 'moderate' for information security risks. The board is concerned and has asked you to recommend improvements to prevent recurrence. The company has a limited budget and cannot implement all possible controls. Current environment: web application developed in-house, hosted on-premises, with a mix of virtual and physical servers. The security team consists of three people responsible for monitoring, incident response, and vulnerability management. The development team follows an agile methodology with bi-weekly sprints. The company has cyber liability insurance that covers breach response costs up to $2 million. Based on this scenario, what is the most effective course of action?

12. An organization has implemented a new web application that processes sensitive customer data. The risk assessment identified a high likelihood of SQL injection attacks due to insufficient input validation. Which of the following is the BEST risk treatment strategy?

13. An organization is conducting a risk assessment for a new cloud-based HR system. Which THREE of the following are key considerations when evaluating the inherent risk?

14. Based on the exhibit, what is the MOST appropriate next step for the information security manager?

15. A multinational corporation is migrating its on-premises data center to a hybrid cloud environment. The organization processes highly sensitive financial data subject to strict regulatory requirements (e.g., GDPR, SOX). During the risk assessment, the information security manager discovers that the cloud service provider (CSP) stores data in multiple geographic regions, some of which do not meet the organization's data residency requirements. Additionally, the CSP's encryption key management is not fully under the organization's control, and the incident response plan does not include specific procedures for cloud-based breaches. The organization's risk appetite is low, and the board has mandated that all risks must be mitigated to an acceptable level. Which of the following is the BEST course of action?

16. Which of the following is the PRIMARY reason for an information security manager to integrate risk management into the organization's enterprise risk management (ERM) framework?

17. During a risk assessment, an organization identifies a critical vulnerability in a legacy system that cannot be patched. The system's availability is crucial for business operations. Which of the following risk treatment strategies is MOST appropriate?

18. Which of the following are key components of an Information Security Risk Management program? (Select TWO.)

19. An organization has a high residual risk after implementing all feasible controls. According to CISM best practices, which of the following should the information security manager do? (Select TWO.)

20. Match each risk assessment activity with the correct phase of the risk management lifecycle.
    Activities:
    1. Identify assets and threats
    2. Determine risk level
    3. Select controls to reduce risk
    4. Monitor risk over time
    Phases:
    A. Risk Assessment
    B. Risk Treatment
    C. Risk Monitoring
    D. Risk Communication (not used)

21. A security manager is evaluating risk treatment options for a high-risk vulnerability. Drag each option to the correct risk treatment category.
    Options:
    - Apply a vendor patch
    - Purchase cyber insurance
    - Decommission the system
    - Accept the risk with formal sign-off
    - Install a WAF (Web Application Firewall)
    Categories:
    - Mitigate
    - Transfer
    - Avoid
    - Accept

22. Which of the following is the PRIMARY purpose of an information security risk assessment?

23. An information security manager has identified a risk with a high likelihood and high impact. The cost of mitigating the risk exceeds the potential loss. What is the MOST appropriate risk treatment strategy?

24. During a risk assessment, a security manager discovers that the residual risk after implementing planned controls is still above the risk appetite threshold. What should the manager do NEXT?

25. Which of the following are key components of an information security risk management program? (Select TWO.)

26. A security manager is presenting risk analysis results to the board. Which of the following should the manager include to effectively communicate risk? (Select THREE.)

27. Order the steps for implementing a security awareness training program.

28. Order the steps for conducting an internal audit of an information security management system (ISMS) based on ISO 27001.

29. Order the steps for implementing a data classification policy in an organization.

30. Match each risk management term to its definition.

31. Match each business continuity term to its definition.

32. Match each cryptographic term to its description.

33. An organization is determining the risk treatment for a critical business process that has a high inherent risk. Which of the following is the MOST effective risk treatment strategy when the cost to mitigate exceeds the potential loss?

34. A security manager is conducting a risk assessment for a new cloud-based system. The system will store sensitive customer data. Which of the following should be the FIRST step in the risk assessment process?

35. After a data breach, the risk manager discovers that the risk assessment for the affected system had not been updated for two years. The organization's risk management policy requires annual reviews. Which of the following is the MOST significant consequence of this noncompliance?

36. A risk manager is presenting risk treatment options to senior management. Which of the following is the BEST approach to communicate risk in a way that supports informed decision-making?

37. A company is implementing a risk management program and needs to define risk appetite. Which of the following is the MOST appropriate statement of risk appetite for a financial institution?

38. During a risk assessment, the risk team identifies that a key vendor has access to sensitive data. The vendor's security posture is unclear. Which of the following is the BEST course of action?

39. Which of the following best describes residual risk?

40. A risk manager is evaluating a control that reduces the likelihood of a threat from high to low. The cost of the control is $100,000 annually. The expected loss without the control is $500,000 per year. Which of the following should the risk manager recommend?

41. An organization's risk management policy requires a quantitative risk assessment for all new projects. The project team estimates that a data breach could occur once every 5 years with an average loss of $2 million. What is the annualized loss expectancy (ALE)?

42. Which TWO of the following are key components of an information security risk assessment? (Choose two.)

43. Which TWO of the following are valid risk treatment options according to ISO 31000? (Choose two.)

44. Which THREE of the following are common challenges when implementing a risk management program in an organization? (Choose three.)

45. A company is implementing a risk management program and needs to identify the most critical assets. Which of the following is the BEST approach to prioritize assets for risk assessment?

46. During a risk assessment, an organization identifies that its legacy payment system has a high likelihood of exploitation due to unpatched vulnerabilities. The system is critical for daily operations. Which risk treatment option should the organization PRIMARILY consider?

47. A multinational organization is evaluating its risk appetite for a new cloud-based customer relationship management (CRM) system. The system will store personal data across multiple jurisdictions with varying data protection laws. The risk committee has set a risk appetite statement that allows only low residual risk. Which of the following controls is MOST critical to ensure compliance with the risk appetite?

48. An organization has recently experienced a data breach due to a misconfigured database. The root cause was a lack of proper change management. As part of the risk management process, what should the organization do NEXT after implementing corrective controls?

49. A company is developing a risk treatment plan for a set of identified risks. One risk involves a third-party vendor that hosts critical data. The risk owner recommends accepting the risk. Which of the following conditions would BEST support this decision?

50. An organization is implementing a quantitative risk analysis for a critical application. The asset value is $2,000,000. The exposure factor (EF) is 0.25, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

51. A risk assessment identifies that the organization's email system has a high likelihood of phishing attacks. The current controls include spam filtering and user awareness training. What should the organization do NEXT to manage this risk effectively?

52. During a risk assessment, a company discovers that its data backup process is incomplete: backups are performed daily but stored onsite without encryption. The risk owner proposes to accept this risk due to low likelihood of a physical breach. Which of the following is the BEST reason to challenge this acceptance?

53. An organization uses the ISO 31000 risk management framework. During the risk evaluation phase, it determines that a certain risk has a low likelihood but very high impact. The organization's risk appetite is moderate. Which of the following is the MOST appropriate risk treatment decision?

54. Which TWO of the following are key components of a risk assessment report according to best practices? (Choose two.)

55. Which THREE of the following are valid methods to identify information security risks? (Choose three.)

56. Which TWO of the following are examples of risk mitigation controls? (Choose two.)

57. A company is choosing a risk assessment methodology for a new cloud-based application. The CISO prefers a method that uses monetary values and numerical probabilities to compute annual loss expectancy. Which methodology should be selected?

58. During a risk assessment, an organization identifies that a legacy system processes credit card data and has a high likelihood of being exploited. The cost to remediate the vulnerability is $500,000, while the potential loss from a breach is $2 million with a 30% annual probability. What is the most appropriate risk treatment decision based on this information?

59. Which role is primarily responsible for ensuring that information security risks are identified, assessed, and managed within a business unit?

60. An organization calculates that the single loss expectancy (SLE) for a server failure is $10,000, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

61. A company has a risk appetite that is 'low' for operational risks. A risk assessment recently identified that a high-speed trading platform has a residual risk rating of 'high' after controls are applied. The cost to further reduce the risk is $1 million, which exceeds the expected benefit. What is the most appropriate action for the risk owner?

62. Which of the following best describes the difference between risk appetite and risk tolerance?

63. After implementing controls, an organization reassesses a risk and finds that the residual risk level exceeds the established risk tolerance. What is the most appropriate next step?

64. A security manager is preparing a risk report for the board of directors. Which of the following should be included to best support strategic risk-based decisions?

65. Which of the following is the primary purpose of a Key Risk Indicator (KRI)?

66. Which TWO of the following are common approaches to information security risk assessment?

67. Which THREE of the following are essential components of an information security risk management framework?

68. Which TWO of the following are valid risk response options?

69. Which host should be prioritized for risk mitigation based on the vulnerability scan results?

70. An employee emails a spreadsheet containing employee salaries to all staff by mistake. According to the exhibit, what is the minimum handling requirement that was violated?

71. Which of the following is the most significant risk in this architecture?

72. A financial institution is implementing a risk management program and needs to select a methodology that balances quantitative and qualitative factors, complies with regulatory requirements, and provides a consistent framework for risk assessment across business units. Which methodology would best meet these requirements?

73. A data breach has occurred exposing customer personal information. The risk manager needs to select a response to reduce the likelihood of similar incidents. Which risk response is most appropriate?

74. After implementing controls, the residual risk is calculated to be at a level that slightly exceeds the risk appetite. The business owner argues that the cost of further mitigation outweighs the benefit. What is the most appropriate action for the risk manager?

75. A company is assessing the risk of a critical system outage. The system has a maximum tolerable downtime (MTD) of 2 hours, but the current recovery time objective (RTO) is 4 hours. What is the most appropriate risk treatment?

76. A company engages a third-party vendor to process customer data. Which of the following is the most critical step in managing the associated risk?

77. A risk manager is aggregating risks across the enterprise and finds that multiple individual risks, each with low impact and low probability, could combine to create a significant risk. What is the best approach to address this?

78. An organization selects a control to mitigate a risk, but after implementation, the risk level remains unchanged. What should the risk manager do first?

79. Which of the following is the primary purpose of communicating risk assessment results to senior management?

80. A risk manager is establishing risk appetite for a new product line. Which of the following best describes the relationship between risk appetite and risk tolerance?

81. Which TWO of the following are risk treatment strategies as defined in ISO 27005?

82. Which TWO of the following are examples of key risk indicators (KRIs) for cybersecurity risk?

83. Which THREE of the following are typical steps in a qualitative risk assessment?

84. Based on the exhibit, which risk should be addressed first if the organization has limited resources?

85. A multinational corporation is expanding its cloud infrastructure across multiple regions. The risk team has identified that the shared responsibility model for cloud security is not well understood by business units. After a recent audit, several misconfigurations led to a data exposure incident that affected one region. The CISO wants to implement a risk management program that ensures consistent control across all regions. As the risk manager, what is the most effective course of action to reduce the risk of similar incidents?

86. A healthcare organization is merging with another entity and must integrate their IT systems. During due diligence, it is discovered that the acquired company has a high number of unpatched critical vulnerabilities in its electronic health record (EHR) system. The merger timeline is aggressive and the integration team wants to proceed as planned. As the risk manager, what is the best course of action?

87. A financial institution is implementing a risk-based approach to prioritize its information security initiatives. The risk manager has completed a risk assessment and identified several risks with varying impact and likelihood. Which TWO of the following are the most important benefits of using the risk assessment results to determine the order of security projects?

88. A small accounting firm with 50 employees recently suffered a ransomware attack that encrypted all client data on its file server. The firm had no backup strategy, and the attackers demanded a ransom for decryption. The firm paid the ransom, but many clients left due to loss of trust. The firm's owner has now hired you as a part-time risk manager. Your first task is to develop a risk management program. What is the most appropriate initial step?

89. A regional hospital is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). During an internal audit, it was discovered that patient electronic health records (EHRs) are transmitted over the internet without encryption. The risk manager has been asked to recommend a risk treatment. Which action should be prioritized to address this finding?

90. A large retail chain with hundreds of stores uses point-of-sale (POS) systems that run an outdated operating system. The annual risk assessment identified this as a high-risk issue because the OS is no longer patched and has known vulnerabilities. The business unit manager opposes replacing all POS systems immediately due to cost and potential disruption to operations. As the risk manager, you need to recommend a risk response that balances risk reduction with business continuity. Which strategy is most appropriate?

91. A global financial services firm uses a Monte Carlo simulation model to quantify the potential financial impact of cyber events. The model inputs include historical loss data, threat intelligence, and control effectiveness. Over the past year, the model has consistently underestimated actual losses by an average of 40%. The risk manager suspects model risk but the quantitative team argues the model is peer-reviewed. The board is concerned about the accuracy of risk reporting. What is the best course of action for the risk manager?

92. A technology startup has grown rapidly and its risk management practices are informal. The CEO has a very high risk appetite and frequently overrides risk management recommendations to accelerate product launches. After a serious data breach involving customer payment information, the board of directors demands a formal risk management program. The risk manager is tasked with changing the risk culture. The startup has limited resources but must meet contractual obligations to protect customer data. What is the most effective first step?

93. An information security manager is implementing a risk management program. Which TWO of the following activities should be performed as part of the risk assessment process?

94. Refer to the exhibit. Based on the risk register extract, which risk should the information security manager prioritize for additional treatment?

95. A multinational financial services company is implementing a new regulatory requirement that mandates enhanced encryption for all customer data in transit. The organization currently uses TLS 1.2, but the regulation requires TLS 1.3. The risk owner for the data transmission system is the head of network operations, who believes the current controls are sufficient and argues that upgrading will cause significant downtime and cost. The information security manager has assessed the risk as high due to potential regulatory fines and reputational damage. The risk owner refuses to accept the risk and insists on deferring the upgrade. The organization has a risk appetite statement that accepts moderate residual risk only after explicit approval from the CRO. The escalation process involves the risk management committee. What is the BEST course of action for the information security manager?


Frequently asked questions

What does the Information Security Risk Management domain cover on the CISM exam?

The Information Security Risk Management domain covers the key concepts tested in this area of the CISM exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISM domains — no account required.

How many Information Security Risk Management questions are in the CISM question bank?

The Courseiva CISM question bank contains 95 questions in the Information Security Risk Management domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Information Security Risk Management for CISM?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Information Security Risk Management questions for CISM?

Yes — the session launcher on this page draws questions exclusively from the Information Security Risk Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
